SAML Connections

In the Cloud Administration Console, you can configure connections between SAML-enabled web or SaaS applications (SPs) and the identity router (the IdP). These connections provide users with SSO access to those applications through the application portal or, if configured, Integrated Windows Authentication (IWA).

RSA provides out-of-the-box SAML applications, such as Salesforce and Dropbox, in the Application Catalog. For instructions on configuring the SSO workflow for your specific application, sign into RSA Link (https://community.rsa.com/community/products/securid) and search for the application you want to configure. For instructions on configuring your own connections to SAML applications, see Add a SAML Application.

SAML Metadata

SAML metadata is one of the standard means by which SAML-enabled IdPs and SPs exchange configuration information and establish two-way trust. When configuring a connection between the identity router and a SAML-enabled application, you can import SAML metadata from the SP to prepopulate SP-related fields in the configuration wizard. After saving an application configuration, you can export the SAML IdP metadata from My Applications, and send it to the SP administrator.

Authentication Workflow

When a user tries to access an SP through a direct link or through the application portal, the identity router authenticates the user, if necessary, and sends a SAML response to the application. The response includes a SAML assertion, which contains XML-encoded identity information about the authenticated user. If the application trusts the SAML assertion, the user is permitted to access the application with no additional identity verification.

The authentication workflow between a SAML-enabled SP and the IdP is called the SSO profile and can be initiated by either the IdP or the SP. The workflow you configure for a SAML connection is determined by the SSO profile that the application supports.

IdP-Initiated SSO Profile

The workflow for an IdP-initiated SSO profile in RSA SecurID Access is illustrated in the following diagram:

The IdP-initiated workflow is described in the following steps:

A user opens a browser and signs into the application portal, either with an LDAP directory password or through IWA, and tries to access the protected, SAML-enabled application.

The identity router generates a response that contains the SAML assertion.

The identity router redirects the user’s browser to the application’s Assertion Consumer Service (ACS) URL along with the SAML response.

The ACS validates the assertion in the SAML response.

The user can access the application without providing additional credentials.

SP-Initiated SSO Profile

The workflow for an SP-initiated SSO profile in RSA SecurID Access is illustrated in the following diagram:

The SP-initiated workflow is described in the following steps:

A user who may or may not be signed into the application portal opens a browser.

The user tries to access the protected, SAML-enabled application.

The application generates a SAML request and sends it, through the browser, to the identity router.

The identity router receives the SAML request and, if necessary, authenticates the user using an LDAP directory password or IWA. The user is now signed into the identity router.

The identity router generates a response that contains the SAML assertion.

The identity router redirects the user’s browser to the application’s ACS URL along with the SAML response.

The ACS validates the assertion in the SAML response.

The user can access the application without providing additional credentials.